Tracing Cross Border Web Tracking Costas Iordanou Georgios Smaragdakis TU Berlin / UC3M TU Berlin [email protected] [email protected] Ingmar Poese Nikolaos Laoutaris BENOCS Data Transparency Lab / Eurecat [email protected] [email protected] ABSTRACT 1 INTRODUCTION A tracking ow is a ow between an end user and a Web track- Online advertising, including bahavioral targeting over the Real ing service. We develop an extensive measurement methodology Time Bidding protocol (RTB) [62], fuels [26] most of the free ser- for quantifying at scale the amount of tracking ows that cross vices of the web. In its principle, the concept of targeted (or per- data protection borders, be it national or international, such as the sonalized) advertising is benign: products and services oered to EU28 border within which the General Data Protection Regulation consumers that they truly care about. It is in its implementation and (GDPR) applies. Our methodology uses a browser extension to fully actual use when controversies arise. For example, tracking should render advertising and tracking code, various lists and heuristics to respect fundamental data protection rights of people, such as their extract well known trackers, passive DNS replication to get all the desire to opt-out, and should keep clear from sensitive personal IP ranges of trackers, and state-of-the art geolocation. We employ data categories, such as health, political beliefs, religion or sexual our methodology on a dataset from 350 real users of the browser orientation. One of the most important changes on how to process extension over a period of more than four months, and then gener- and store personal data is the European Union General Data Protec- alize our results by analyzing billions of web tracking ows from tion Regulation (GDPR) [5]. GDPR oers protection to European more than 60 million broadband and mobile users from 4 large citizens across a wide range of privacy threats, including tracking European ISPs. We show that the majority of tracking ows cross on sensitive categories such as those mentioned above. Now that national borders in Europe but, unlike popular belief, are pretty Europe’s new data protection law is in place (implementation date well conned within the larger GDPR jurisdiction. Simple DNS of the GDPR across the European Union was on May 25, 2018; the redirection and PoP mirroring can increase national connement regulation entered into force on May 24, 2016), the next challenge while sealing almost all tracking ows within Europe. Last, we becomes implementing it in practice. GDPR has provisions that show that cross boarder tracking is prevalent even in sensitive and include steep nes reaching up to 4% of worldwide turnover or hence protected data categories and groups including health, sexual 20 million euros, whichever is higher, for any company found in orientation, minors, and others. violation. Monitoring the eectiveness of the law, investigating complaints, and prosecuting violators can only be carried out based on sound factual data. The measurement community, therefore, CCS CONCEPTS has an important role to play in developing the necessary new • Information systems → Online advertising; • Security and methodologies and in collecting data for GDPR related topics and privacy → Privacy protections; • Networks → Network mea- investigations. surement; Location based services; • Applied computing → Law; A fast growing body of literature already exists around top- ics such as “What information is leaking while users navigate ACM Reference Format: the web with xed [28–30, 35, 41, 43, 44, 51, 58, 61] or mobile de- Costas Iordanou, Georgios Smaragdakis, Ingmar Poese, and Nikolaos Laoutaris. vices?” [42, 52, 53, 60], “Who is collecting it?” [29, 52, 58], “How is it 2018. Tracing Cross Border Web Tracking. In 2018 Internet Measurement being collected?” [27, 47, 57], “What is its nancial worth?” [48, 49], Conference (IMC ’18), October 31-November 2, 2018, Boston, MA, USA. ACM, “Which are the potential hazards for citizens?” [45], etc. (see Sect. 8 New York, NY, USA, 14 pages. https://doi.org/10.1145/3278532.3278561 for more related work). An area, however, that has received rela- tively small attention has to do with the geographical aspects of tracking, including questions such as: Where is the back end of a tracker?, How far does a tracking ow go?, Which borders does it Permission to make digital or hard copies of all or part of this work for personal or cross?, What can be done to contain tracking within a certain data classroom use is granted without fee provided that copies are not made or distributed protection jurisdiction? for prot or commercial advantage and that copies bear this notice and the full citation Extracting the geographical footprint of trackers and tracking on the rst page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, ows is dicult for a number of reasons: It requires having access to post on servers or to redistribute to lists, requires prior specic permission and/or a to real tracking ows originating from real users and terminating fee. Request permissions from [email protected]. at dynamically bound trackers. The obtained sample needs to be IMC ’18, October 31-November 2, 2018, Boston, MA, USA © 2018 Association for Computing Machinery. representative, unbiased, and complete in terms of coverage. The ACM ISBN 978-1-4503-5619-0/18/10...$15.00 https://doi.org/10.1145/3278532.3278561 IMC ’18, October 31-November 2, 2018, Boston, MA, USA Costas Iordanou et al. obtained measurements need to be precise, especially in terms of The percentage of such ows crossing borders appears to be • geolocation accuracy. similar with that for general tracking trac. Our contribution: In this paper, we develop a novel measure- ment methodology for mapping the geographic characteristics of 2 BACKGROUND tracking ows at scale. Our methodology is hybrid in nature – it Before delving into technical details, we outline the current legisla- is using fully rendered webpages and executed tracking code to tive and operational setting that motivate our study, and highlight detect tracking ows. For this we use a population of test users the challenges we want to overcome. from the CrowdFlower platform [4] who have installed our browser extension. With trackers identied, we then look them up in large 2.1 Why location matters? NetFlow datasets from entire ISPs. Therefore, our browser exten- As with most things, location matters also with data protection. sion is adding precision, and our lookup step, scale. An important This may seem counter-intuitive since GDPR only requires that intermediate step has to do with guaranteeing the completeness an online service access a European citizen’s data to hold it ac- of the lookup, i.e., that we have identied all the IPs of a tracker, countable independently of the location of its legal or technical and that we conrm that these IPs are dedicated for tracking. For base. Thus a company incorporated in the US with its servers in, this we utilize DNS databases (archived passive DNS records, see for example, Singapore can still get ned if it fails to conform to Sect. 3.3). GDPR requirements while processing data of European citizens. In summary, our methodology manages (i) to double the amount Then why is it important to know whether a tracking ow crosses of tracking ows detected compared to previous simpler approaches, the EU28 borders? The answer is – investigation & enforcement. (ii) improve their geolocation accuracy, and (iii) monitor the track- Indeed data protection complaints can be investigated in greater ing ecosystem continuously for a time period of more than four depth when a Data Protection Authorities (DPA) can be granted months capturing any possible temporal variations. legal access to the tracking backend. This is far easier done when Our ndings: By applying our methodology on data from 350 the tracking end point is within EU28 borders.1 CrowdFlower users and NetFlow data from 60M ISP subscribers, But what about national borders? These are important for ju- we show that: risdiction reasons. Although GDPR is the common data protection Most tracking ows, typically around 90%, originating at law of all EU28 countries, its implementation is left to the corre- • users within EU28 terminate at tracking servers hosted within sponding national DPAs. The national DPA is responsible for the EU28. This result contrasts popular belief, as well as recent handling of a complaint of the citizen or legal entity lling the studies, claiming that most tracking of European citizens complaint. Therefore, it is important to know how many tracking is conducted by trackers physically located outside Europe. ows cross national borders and where the tracking servers are The discrepancy owes to geolocation accuracy, among other physically hosted. reasons. Last but not least, other pieces of legislation exist that may impact Connement within national borders is much lower: peaking on tracking (e.g., security related, protection of minors, data or • at less than 70% in the best case and becoming single digit server logs storage duration etc.), which only have a national scope. for small countries. There exists a correlation between the For these cases it is also important to know whether a tracking ow density level of IT infrastructure of a country, mostly in stays within national borders. terms of datacenters, and the connement of tracking ows within its borders. 2.2 Online tracking over RTB Subsequently, we turn our attention on what can be done to im- Figure 1 depicts a high level block diagram of the dierent entities prove the locality of tracking ows. We consider two mechanisms: involved in targeted advertising over real-time bidding (RTB), one DNS redirection and PoP mirroring.